Security Hub

Bring your software development workflows to security


Ruby unpack Integer Overflow

Signals & Triggers

On String#unpack call
If the @ offset in the format string triggers an integer overflow

Actions

  • Block the HTTP request

Notifications

  • Send an email to all team members
  • Send a Slack notification.
  • POST to your Webhook.
  • Send to New Relic Insights.

Details

CVE-2018-8778 is a buffer under-read triggered through String#unpack. This method decodes str according to the format string it is given and returns an array of the extracted values. The @ directive lets the format specify the absolute position from which the next value is parsed.

If a sufficiently large number is passed with @, it overflows and is treated as a negative value, so unpack skips a negative number of bytes. This is where the out-of-buffer read occurs, and an attacker could use it to read sensitive data from the heap. This article explains the vulnerability in detail.

This page describes the vulnerable versions of Ruby.

Advanced details

Sqreen hooks the String#unpack method and checks that the format string argument, if it contains @, does not carry a large offset. The key check is whether this format string came from the current request parameters: a large offset is only treated as an attack when it did.

So the rule we implemented looks a bit like:

TWO_GIGABYTES = 2**31

def unpack_format_attack?(format_string, user_parameters)
  return false unless format_string.include?('@')
  return false unless user_parameters.include?(format_string)
  offset = format_string[/@(\d+)/, 1].to_i  # the count that follows '@'
  offset > TWO_GIGABYTES
end
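The following is an added example, not Sqreen's agent code, showing how a guard in the spirit of the rule above can be placed in front of String#unpack. It extracts every @ offset from the format string, applies the "came from request parameters and exceeds 2**31" test, and additionally refuses any offset past the end of the data being unpacked, which no legitimate caller needs. The function names, the UnsafeUnpackFormat error class and the sample parameter values are all constructed for this example.

```ruby
# Added example (not Sqreen's code): a guard for String#unpack that rejects
# format strings from request parameters whose '@' offset would overflow a
# signed 32-bit int, before the vulnerable code path is ever reached.
TWO_GIGABYTES = 2**31

# Return every numeric count that follows an '@' directive in a format
# string. A bare '@' (no count) means offset 0 and is ignored here.
def unpack_at_offsets(format_string)
  format_string.scan(/@(\d+)/).flatten.map { |n| Integer(n, 10) }
end

# Same logic as the rule above: the format must contain '@', must appear
# verbatim among the request's parameter values, and must carry an offset
# larger than 2**31.
def unpack_format_attack?(format_string, user_parameters)
  return false unless format_string.include?('@')
  return false unless user_parameters.include?(format_string)
  unpack_at_offsets(format_string).any? { |offset| offset > TWO_GIGABYTES }
end

# Hypothetical error type raised instead of performing the unpack.
class UnsafeUnpackFormat < ArgumentError; end

# Defensive wrapper around String#unpack. Rejects the call when the format
# matches the attack rule, and also when any '@' offset lies beyond the data
# length, since such a format can never decode anything meaningful.
def guarded_unpack(data, format_string, user_parameters)
  if unpack_format_attack?(format_string, user_parameters)
    raise UnsafeUnpackFormat, "rejected unpack format taken from request parameters"
  end
  if unpack_at_offsets(format_string).any? { |offset| offset > data.bytesize }
    raise UnsafeUnpackFormat, "'@' offset exceeds data length #{data.bytesize}"
  end
  data.unpack(format_string)
end

# Constructed sample requests: one with a benign format among its
# parameters, one whose parameter carries an offset that wraps on 32 bits.
benign_params  = ["C2", "@2C"]
hostile_params = ["@4294967295C"]

puts guarded_unpack("\x01\x02\x03", "@2C", benign_params).inspect  # => [3]
begin
  guarded_unpack("\x01\x02\x03", "@4294967295C", hostile_params)
rescue UnsafeUnpackFormat => e
  puts "blocked: #{e.message}"
end
```

In a real application the user_parameters array would be built from the request's query, body and header values, which is what the "coming from the current request parameters" check in the rule refers to.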

Language support

  • Ruby

Data collected by Sqreen

Signals

NA


On attack
  • Malicious request
  • Attacker IP
  • Attacker account (Sqreen SDK)

Built for developers and modern apps

Get up and running in minutes just by installing our lightweight library. Enable plugins in just a couple of clicks.

Node.js:

$ npm install --save sqreen

$ echo '{ "token": "your token" }' > sqreen.json

// This should be the first line of your app

require('sqreen');

Ruby:

$ echo "gem 'sqreen'" >> Gemfile

$ bundle install

$ echo "token: your token" >> config/sqreen.yml

PHP:

$ curl -s https://download.sqreen.io/php/install.sh > sqreen-install.sh && bash sqreen-install.sh your token

Python:

$ pip install sqreen

$ echo -e '[sqreen]\ntoken: your token' >> sqreen.ini

# Insert at the top of your app file (typically wsgi.py or app.py)

import sqreen

sqreen.start()

Java:

$ curl https://download.sqreen.io/java/sqreen-latest-all.jar -o sqreen-latest-all.jar

// Next, edit the JVM startup file:

-javaagent:/path/to/sqreen-agent.jar -Dsqreen.token={{your token}}

Build amazing products. Keep them safe.

3 min installation · Try all features for 7 days · No credit card required